Last Updated: May 20, 2026
FitFlowUp operates on a strict multi-tenant architecture. We collect Profile Information (names, contact details, authentication metadata via Supabase) and Operational Data (membership cycles, check-in history). Every gym’s data—including member lists, staff records, and financial ledger—is logically siloed. Our Row-Level Security (RLS) ensures that data is never leaked between different gym tenants and is only accessible to users with verified permissions (e.g., Gym Owners, Managers).
Our Digital Access Key (QR Code) system facilitates secure gym entry. When a member scans their key, we process proximity data to log the check-in time and verify subscription validity. This data is used exclusively for gym operational efficiency and member activity tracking. We do not track location outside of these explicit "Check-in Terminals."
Financial transactions are processed through Whish Pay. FitFlowUp acts as a ledger that facilitates these payments but does not store sensitive wallet credentials or raw financial keys on our primary database. We retain transaction metadata (e.g., Whish Reference IDs, amounts, and plan snapshots) to provide Gym Owners with accurate payout reports and members with their billing history.
Our platform is built on enterprise-grade infrastructure provided by Supabase (PostgreSQL). All data is encrypted using AES-256 at rest and TLS 1.3 in transit. We maintain redundant backups to prevent data loss, ensuring that your gym’s "Business Flow" remains uninterrupted. We continuously audit our Row-Level Security policies to prevent unauthorized data access.
We retain data as long as a gym maintains an active platform subscription. In the event of a status change to "Expired" or "Past Due," data is preserved for a 5-day grace period to allow for renewal. Upon formal account termination, gym-specific data is subject to a 30-day "cool-down" period before it is permanently purged from our active production clusters, unless legal regulations require longer retention.
Users (Gym Owners and Members) maintain rights under various global privacy frameworks (such as GDPR or CCPA) to access, rectify, or erase their personal data. For gym-specific data (e.g., a member wanting to delete their gym profile), FitFlowUp acts as the service provider; such requests should be initiated through the respective Gym Owner.